cmmc-expert
// CMMC v2.0 expert for DoD contractors. Covers NIST 800-171 Rev 2 (14 families, 110 controls), SPRS scoring, POA&M rules, 32 CFR Part 170, DFARS clauses, scoping, ESP/CSP, C3PAO assessment lifecycle, and Rev 2 → Rev 3 transition.
| name | cmmc-expert |
| description | CMMC v2.0 expert for DoD contractors. Covers NIST 800-171 Rev 2 (14 families, 110 controls), SPRS scoring, POA&M rules, 32 CFR Part 170, DFARS clauses, scoping, ESP/CSP, C3PAO assessment lifecycle, and Rev 2 → Rev 3 transition. |
| allowed-tools | Read, Glob, Grep, Write |
Deep, practitioner-grade expertise in the Cybersecurity Maturity Model Certification (CMMC) v2.0 for Department of Defense contractors. Built from the authoritative chain: NIST SP 800-171 Rev 2 (control text), NIST SP 800-171A Rev 2 (320 assessment objectives), 32 CFR Part 170 (CMMC program rule), and 48 CFR / DFARS Part 204.75 (acquisition rule).
Purpose: Standardize verification of NIST SP 800-171 cybersecurity controls across the Defense Industrial Base (DIB) protecting Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
Authority chain:
Authoritative sources to cite in deliverables:
All dates keyed to November 10, 2025 (DFARS rule effective date).
| Phase | Window | What's in contracts |
|---|---|---|
| Phase 1 | 2025-11-10 → 2026-11-09 | L1 (Self), L2 (Self); L2 (C3PAO) at DoD discretion |
| Phase 2 | 2026-11-10 → 2027-11-09 | + L2 (C3PAO) as routine contractual requirement |
| Phase 3 | 2027-11-10 → 2028-11-09 | + L3 (DIBCAC) for high-sensitivity programs |
| Phase 4 | 2028-11-10 and beyond | All applicable solicitations require appropriate CMMC level |
Triennial re-assessment + annual affirmation throughout the certification cycle.
| Level | Name | Practices | Source | Assessment | POA&M Allowed | Cycle |
|---|---|---|---|---|---|---|
| Level 1 | Foundational | 15 | FAR 52.204-21 | Self only | No — never | Annual self + annual affirmation |
| Level 2 | Advanced | 110 | NIST SP 800-171 Rev 2 | Self or C3PAO | Yes — restricted (see §11) | Triennial + annual affirmation |
| Level 3 | Expert | 134 (110 + 24 selected from 800-172) | NIST SP 800-171 Rev 2 + 800-172 | DCMA DIBCAC | Per DIBCAC methodology | Triennial + annual affirmation |
Acronyms used here (correctly):
Who needs what:
These are the only 14 families in Rev 2. Any reference to Asset Management (AM), Recovery (RE), Risk Management (RM), or Situational Awareness (SA) as 800-171 families is incorrect — those names belong to CMMC v1.0 or to other catalogs.
| # | ID | Family | Controls |
|---|---|---|---|
| 1 | AC | Access Control | 22 |
| 2 | AT | Awareness and Training | 3 |
| 3 | AU | Audit and Accountability | 9 |
| 4 | CM | Configuration Management | 9 |
| 5 | IA | Identification and Authentication | 11 |
| 6 | IR | Incident Response | 3 |
| 7 | MA | Maintenance | 6 |
| 8 | MP | Media Protection | 9 |
| 9 | PS | Personnel Security | 2 |
| 10 | PE | Physical Protection | 6 |
| 11 | RA | Risk Assessment | 3 |
| 12 | CA | Security Assessment | 4 |
| 13 | SC | System and Communications Protection | 16 |
| 14 | SI | System and Information Integrity | 7 |
| | | TOTAL | 110 |
Numbering scheme: Chapter.Family.Requirement (e.g., 3.1.1 = Chapter 3, AC family, Requirement 1). Each requirement is either Basic (high-level) or Derived (technical implementation specifics) in Rev 2.
Each 800-171 requirement decomposes into lettered assessment objectives (e.g., 3.1.1[a]–[f]). All objectives within a practice must be satisfied for the practice to be Met in a C3PAO assessment.
| Family | Controls | Assessment Objectives |
|---|---|---|
| 3.1 Access Control | 22 | 70 |
| 3.2 Awareness & Training | 3 | 9 |
| 3.3 Audit & Accountability | 9 | 29 |
| 3.4 Configuration Management | 9 | 44 |
| 3.5 Identification & Authentication | 11 | 25 |
| 3.6 Incident Response | 3 | 14 |
| 3.7 Maintenance | 6 | 10 |
| 3.8 Media Protection | 9 | 15 |
| 3.9 Personnel Security | 2 | 4 |
| 3.10 Physical Protection | 6 | 16 |
| 3.11 Risk Assessment | 3 | 9 |
| 3.12 Security Assessment | 4 | 14 |
| 3.13 System & Comms Protection | 16 | 41 |
| 3.14 System & Info Integrity | 7 | 20 |
| TOTAL | 110 | 320 |
These drive the bulk of assessment effort and evidence burden:
| Control | Objectives | Evidence focus |
|---|---|---|
| 3.4.7 | 15 | Port/protocol/service documentation (most objectives of any control) |
| 3.13.1 | 8 | Network boundary definition + monitoring/control/protection |
| 3.4.5 | 8 | Change control access restrictions (physical AND logical) |
| 3.12.4 | 8 | SSP completeness (boundary, environment, connections, update freq) |
| 3.6.1 | 7 | IRP covering all incident response phases |
| 3.6.2 | 6 | Incident reporting chain (internal + external) |
| 3.1.1 | 6 | User/device/process inventory + access restrictions |
| 3.1.20 | 6 | External system agreements + connection controls |
| 3.3.1 | 6 | Audit log configuration + retention policy |
| 3.3.8 | 6 | Log protection controls |
| 3.4.1 | 6 | Baseline config + asset inventory |
| 3.13.2 | 6 | Secure architecture documentation |
| 3.14.1 | 6 | Flaw ID/report/correct with defined timeframes |
| 3.1.3 | 5 | Data flow diagrams + flow enforcement |
| 3.1.22 | 5 | Public web content review process |
Per NIST SP 800-171A Rev 2, assessors use exactly three methods (not four). The verb "Determine" that opens each assessment objective is not a method — it's the assessor's overall judgment, supported by E/I/T evidence.
| Method | What it is | Depth attributes |
|---|---|---|
| Examine | Reviewing, inspecting, observing, studying, or analyzing assessment objects (specifications, mechanisms, activities) | Basic / Focused / Comprehensive |
| Interview | Discussions with individuals or groups to facilitate understanding, achieve clarification, or obtain evidence | Basic / Focused / Comprehensive |
| Test | Exercising assessment objects under specified conditions to compare actual vs. expected behavior | Basic (black box) / Focused (gray box) / Comprehensive (white box) |
Assessment objects assessors examine or test:
Practitioner rule of thumb: For each AO, the OSC should be able to produce (1) the document/specification, (2) the technical artifact or screenshot showing the mechanism is configured, and (3) at least one person who can speak to operating the control.
CUI Registry: cui.archives.gov
Two flavors:
Confidentiality impact value: No less than FIPS 199 moderate.
Boundary scope rule (key to scoping): 800-171 requirements apply only to components that process, store, or transmit CUI, or that provide protection for such components.
Marking expectations:
Example marking: CUI//SP-PRVCY
Per 32 CFR 170.19 and the CMMC L2 Scoping Guide, each asset falls into one of five categories. Proper categorization can dramatically reduce assessment burden and cost.
| Category | What it is | CMMC treatment |
|---|---|---|
| CUI Assets | Process, store, or transmit CUI | All 110 controls apply |
| Security Protection Assets | Provide security services to CUI Assets (firewalls, IDS/IPS, SIEM, VPN, MDM, patch mgmt, AD/LDAP) — need not touch CUI directly | Applicable security requirements apply |
| Contractor Risk Managed Assets (CRMA) | Can technically reach CUI Assets but aren't required to process CUI (jump hosts, admin workstations) | Contractor-developed risk-based approach, documented |
| Specialized Assets | OT/ICS, IoT, Government Furnished Equipment | Tailored — document applicability and any compensating controls in the SSP |
| Out-of-Scope Assets | Isolated; no connection path to CUI systems | Not subject to CMMC — but isolation must be technically demonstrated, not merely asserted |
The most commonly misunderstood area of CMMC. ESPs and CSPs follow different rules.
A third party providing cloud services (SaaS / PaaS / IaaS) where CUI is processed, stored, or transmitted.
Common CSP options for CUI:
| Platform | FedRAMP | Notes |
|---|---|---|
| Microsoft 365 GCC High | High | Suitable for most DoD CUI, including ITAR |
| Microsoft Azure Government | High | |
| AWS GovCloud | High | |
| Microsoft 365 GCC | Moderate | Limited CUI types; not suitable for ITAR/EAR |
| Google Workspace Enterprise | Moderate (some configurations) | Validate per use case |
ITAR/EAR caution: A CSP can be FedRAMP-authorized and technically eligible — but still ineligible to process specific CUI categories due to export-control restrictions on foreign-national access. Evaluate CUI category restrictions independently of FedRAMP authorization.
A third party that is not cloud-based but whose services implement 800-171 controls, or that processes, stores, or transmits CUI on the OSA's behalf.
Common ESPs: MSSPs (SOC, SIEM), MSPs (patching, endpoint management), outsourced IT/AD admins, physical security monitoring vendors.
Rules (32 CFR 170.19 / 170.16):
Decision tree:
```
Is the third-party service cloud-based?
├── YES → CSP → FedRAMP Moderate (or higher) authorization required
└── NO → ESP → Include in scope OR get ESP CMMC-certified
```
Per the regulation (unless DoD specifies otherwise), the prime contractor determines the CMMC level required for each subcontractor based on the data the sub will handle.
| Prime's requirement | Sub handling FCI only | Sub handling CUI |
|---|---|---|
| L2 (Self) | L1 minimum | L2 (Self) minimum |
| L2 (C3PAO) | L1 minimum | L2 (C3PAO) minimum |
| L3 (DIBCAC) | L1 minimum | L2 (C3PAO) minimum (unless DoD specifies higher) |
Prime obligations:
Practical advisory: Primes should build supplier cybersecurity verification into procurement processes now. Waiting until Phase 2/4 to verify subs will create supply chain disruptions.
| Concept | What it is | Where it lives |
|---|---|---|
| SPRS Score | Numerical (e.g., 98/110) from DoD Assessment Methodology self-assessment | SPRS (contractor-submitted) |
| CMMC Status | Categorical (Conditional L2 / Final L2 / etc.) from a CMMC assessment under 32 CFR 170 | SPRS (self) or eMASS (C3PAO) |
During Phase 1, a current SPRS score from a valid self-assessment is the CMMC L2 (Self) status.
Under DFARS 252.204-7019/7020:
| Tier | Conducted by | Rigor | SPRS effect |
|---|---|---|---|
| Basic | Contractor self | Low (honor system) | Contractor submits score |
| Medium | DoD records/interview review | Medium | DoD adjusts score if gaps found |
| High | DIBCAC on-site | High | DIBCAC score supersedes contractor's |
SPRS = 110 − Σ (deductions for not-implemented or partially-implemented controls)
A single Not-Implemented finding on any of these costs 5 points and — for most of them — is not POA&M-eligible. Verify against the current CMMC Scoring Methodology before client-facing work.
A Plan of Action & Milestones is a time-bound documented plan to remediate identified deficiencies. Under CMMC, POA&Ms are not a general remediation tool — they are tightly restricted.
Rule 1 — Level 1 = NO POA&Ms ever. Per 32 CFR 170.21(a)(1). All 15 FAR 52.204-21 practices must be fully implemented at time of self-assessment submission. No exceptions.
Rule 2 — Level 2 POA&Ms require a passing score of ≥ 80%. Per 32 CFR 170.21(a)(2)(i). Assessment score ÷ 110 must be ≥ 0.8 → ≥ 88 of 110 practices must be MET before any POA&M is allowed.
Rule 3 — Only 1-point practices on POA&M, with one exception. Per 32 CFR 170.21(a)(2)(ii). No practice on a POA&M may have a point value greater than 1. The single exception: SC.L2-3.13.11 (FIPS-validated cryptography) may be on a POA&M at its 3-point value only if encryption is in use but not yet FIPS-validated. If encryption is not employed at all, 3.13.11 carries its full 5-point weight and is not POA&M-eligible.
| Scenario | Encryption posture | Deduction | POA&M eligible? |
|---|---|---|---|
| A | None | 5 pts | No — assessment fails |
| B | In use, not FIPS-validated | 3 pts | Yes |
| C | FIPS-validated in use | 0 pts | n/a — fully Met |
Practitioner play: Before assessment, get clients to implement encryption (even if not yet FIPS-validated) — converts a disqualifying 5-point hit into a POA&M-eligible 3-point hit.
Per 32 CFR 170.21(a)(2)(iii), the following are explicitly ineligible regardless of point value:
Operational POA&Ms (continuous improvement tracking under normal NIST practice) are separate from CMMC assessment POA&Ms (formal regulatory constructs with 180-day clocks). Don't conflate them.
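The scoring formula above and POA&M Rules 1 to 3 combine into a decision procedure that is easy to get wrong by hand (a client can clear the 80% gate and still be blocked by a single 5-point finding). The following is an added example, not code from this skill or from any DoD tool: it encodes the page's rules (score = 110 minus deductions, the ≥ 0.8 gate applied to score ÷ 110, 1-point-only POA&M items with the 3.13.11-at-3-points exception) and applies them to constructed sample findings. The practice weights in the sample data are assumptions for the example (only the 5-point weight of 3.13.11 is stated on the page), the `NEVER_POAM_ELIGIBLE` set is a placeholder for the 32 CFR 170.21(a)(2)(iii) list the page does not reproduce, and the function and field names are mine.

```python
"""SPRS-style scoring and CMMC Level 2 POA&M eligibility check (added example)."""
from dataclasses import dataclass
from typing import Iterable

TOTAL_PRACTICES = 110
PASSING_RATIO = 0.8          # Rule 2: score / 110 must be >= 0.8 (i.e. >= 88)
FIPS_PRACTICE = "3.13.11"    # the single Rule 3 exception

# 32 CFR 170.21(a)(2)(iii) names practices that are never POA&M-eligible
# regardless of point value; the page does not reproduce that list, so this
# placeholder is left empty and must be filled from the regulation.
NEVER_POAM_ELIGIBLE: frozenset[str] = frozenset()


@dataclass(frozen=True)
class Finding:
    practice: str   # 800-171 Rev 2 requirement number, e.g. "3.1.1"
    weight: int     # DoD Assessment Methodology point value: 1, 3 or 5
    status: str     # "met", "not_met", or (3.13.11 only) "partial"
                    # "partial" = encryption in use but not FIPS-validated


def deduction(f: Finding) -> int:
    """Points subtracted from 110 for one finding."""
    if f.status == "met":
        return 0
    if f.practice == FIPS_PRACTICE:
        # Scenario B on the page: 3 points when encryption is present;
        # Scenario A: the full 5-point weight when no encryption is employed.
        return 3 if f.status == "partial" else 5
    return f.weight


def sprs_score(findings: Iterable[Finding]) -> int:
    """SPRS = 110 - sum of deductions for open findings."""
    return TOTAL_PRACTICES - sum(deduction(f) for f in findings)


def poam_eligible(f: Finding) -> bool:
    """Rule 3: only 1-point practices, except 3.13.11 at its 3-point value."""
    d = deduction(f)
    if d == 0 or f.practice in NEVER_POAM_ELIGIBLE:
        return False
    if f.practice == FIPS_PRACTICE:
        return d == 3
    return d == 1


def evaluate_level2(findings: list[Finding]) -> dict:
    """Score the assessment and derive the resulting CMMC Level 2 status."""
    open_items = [f for f in findings if f.status != "met"]
    score = sprs_score(findings)
    passes_gate = score / TOTAL_PRACTICES >= PASSING_RATIO
    blockers = sorted(f.practice for f in open_items if not poam_eligible(f))
    if not open_items:
        status = "Final Level 2"
    elif passes_gate and not blockers:
        status = "Conditional Level 2 (POA&M, 180-day clock)"
    else:
        status = "Not Met"
    return {
        "score": score,
        "met": TOTAL_PRACTICES - len(open_items),
        "passes_80pct_gate": passes_gate,
        "poam_items": sorted(f.practice for f in open_items if poam_eligible(f)),
        "blockers": blockers,
        "status": status,
    }


# Constructed sample findings; weights other than 3.13.11's are assumed here.
SCENARIO_B = [
    Finding("3.13.11", 5, "partial"),  # encryption in use, not FIPS-validated -> 3 pts, POA&M-eligible
    Finding("3.1.22", 1, "not_met"),   # public content review process missing
    Finding("3.4.7", 1, "not_met"),    # port/protocol/service documentation incomplete
]
SCENARIO_A = [
    Finding("3.13.11", 5, "not_met"),  # no encryption at all -> 5 pts, not POA&M-eligible
    Finding("3.5.3", 5, "not_met"),    # MFA absent; weight of 5 assumed for this example
]

if __name__ == "__main__":
    for name, scenario in (("Scenario B", SCENARIO_B), ("Scenario A", SCENARIO_A)):
        print(name, evaluate_level2(scenario))
```

Scenario A shows why the practitioner play on this page matters: the client clears the 80% gate (score 100) yet the 5-point 3.13.11 finding blocks a Conditional status outright, whereas Scenario B converts the same control into a 3-point POA&M item.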
At the assessment objective level, each AO produces one of:
At the practice level, the rollup is:
Findings language convention in deliverables:
Cite the specific assessment objective (e.g., 3.1.1[a]).
After initial CMMC Status, a senior company official must affirm in SPRS/eMASS each year that:
Frequency: within one year of initial CMMC Status Date, then annually for the 3-year cycle. Material changes may trigger re-assessment.
CMMC creates real FCA exposure — context every client conversation should include:
What creates exposure:
Safe-harbor posture: an honest, low SPRS score plus a credible POA&M is defensible. An inflated score is not. Accurate reporting + credible remediation = manageable risk; inflated reporting = potential criminal exposure.
CMMC is currently based on 800-171 Rev 2 only. Rev 3 (May 2024) is the forward horizon — not operative for CMMC until DoD adopts it (no announced date).
| Metric | Rev 2 | Rev 3 |
|---|---|---|
| Control families | 14 | 17 (adds PL, SA, SR) |
| Total requirements | 110 | ~97 (net — many consolidations) |
| Numbering | 3.X.Y | 03.X.Y (leading zeros) |
| Basic/Derived distinction | Yes | Eliminated |
| ODPs | None | Introduced |
| Family renames | — | CA → "Security Assessment and Monitoring" |
Introduced in Rev 3. Select requirements contain [Assignment: organization-defined X] values that must be defined by either the contracting federal agency or the contractor. Once defined, they become assessable scope.
ODP categories:
ODP planning for clients pre-adoption:
Some clients have implemented Rev 3-style controls and believe they're covered. Rev 2 has specific requirements that Rev 3 softened with ODPs — for current CMMC assessments, the Rev 2 language governs:
Replaces the loose gap list with practitioner-confirmed patterns mapped to specific assessment objectives.
| Gap | Practices / AOs | Why it fails |
|---|---|---|
| MFA partial — admins only, not all network users | IA.L2-3.5.3 (all AOs); related 3.1.12 | Rev 2 requires MFA for network access to non-privileged accounts; "admins only" does not satisfy |
| SMS or push-only MFA | IA.L2-3.5.3 | Phishing-resistant MFA expected; SMS increasingly called out |
| Account review records missing | AC.L2-3.1.1[d–f]; 3.1.5[a–d] | Policy exists but no documented periodic review evidence |
| Asset inventory incomplete / no network diagram | CM.L2-3.4.1[a–f]; CA.L2-3.12.4 | Baseline configuration cannot be asserted without inventory |
| Audit log retention without review | AU.L2-3.3.1[e–f]; 3.3.5 | Logs generated but never analyzed — fails Examine + Interview |
| IR plan untested or no 72-hour reporting process | IR.L2-3.6.1[a–g]; 3.6.3; DFARS 7012 | Plan exists but exercises absent; DIBNet reporting workflow undocumented |
| No baseline configurations / informal change control | CM.L2-3.4.1; 3.4.3; 3.4.5[a–h] | Required artifacts (baselines, change records) cannot be produced |
| Allow/deny software policy missing | CM.L2-3.4.8 | Policy-only without enforcement evidence; technical control required |
| FIPS-validated crypto unconfirmed | SC.L2-3.13.11; 3.13.8; 3.13.16 | Encryption in use but not via CMVP-validated module — 3-pt POA&M if encryption present, 5-pt fail if not |
| No documented deny-by-default boundary rule | SC.L2-3.13.6 | Implicit allow rules undermine flow control |
| CUI at rest not encrypted | SC.L2-3.13.16 | Common on endpoints; full-disk encryption alone may not satisfy if CUI is in cloud sync folders |
| SSP not current | CA.L2-3.12.4[a–h] | SSP exists but stale; assessor wants current state |
| Patch SLAs without evidence | SI.L2-3.14.1; RA.L2-3.11.3 | Policy says "30 days" but no records demonstrate it |
| AV not auto-updating | SI.L2-3.14.4; 3.14.5 | Signatures stale; tool report shows last update |
| Vulnerability scanning gap | RA.L2-3.11.2; 3.11.3 | Authenticated scans not configured; remediation cadence undocumented |
| External system connections unmanaged | AC.L2-3.1.20; 3.1.21 | No agreements with external systems; portable storage uncontrolled |
| Public-facing system content control | AC.L2-3.1.22 | No review process for what posts publicly |
These require technical implementation evidence, not just a policy document:
CUI Registry: cui.archives.gov
Authoritative locations: dodcio.defense.gov/CMMC/, cyber.mil, cyberab.org, sprs.csd.disa.mil, dibnet.dod.mil (incident reporting).
This skill supports: